1 / 18

What Gives? A Hybrid Algorithm for Error Trace Explanation

What Gives? A Hybrid Algorithm for Error Trace Explanation. Introduction. Working with error traces is frequent while debugging Error trace: sequence of statements that violate an assertion Understanding an error trace is key A “good” explanation of an error trace should preferably

jagger
Download Presentation

What Gives? A Hybrid Algorithm for Error Trace Explanation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What Gives?A Hybrid Algorithm forError Trace Explanation

  2. Introduction • Working with error traces is frequent while debugging • Error trace: sequence of statements that violate an assertion • Understanding an error trace is key • A “good” explanation of an error trace should preferably • reproduce the error • display the flow of error between statements • be minimal (show only what is necessary) • Current methods do not offer automatic yet good explanation • Debugger features (watchpoints, breakpoints) are manual • Dynamic Slicing [1] may keep irrelevant statements in explanation [1] H. Agrawal and J. R. Horgan. Dynamic Program Slicing.PLDI ‘90

  3. Introduction 1 2 3 4 5 x=3; y=5; z1=y+x; z2=y-x; assert(z2>z1); • Example: Dynamic slice on z1 and z2 will return the entire trace • Semantically, the value of y is irrelevant to the error • Semantics-aware slice with explanatory labels [2] • Compute “interpolants” as labels after each statement in the trace • Elide statements surrounded by the same label (e.g., y=5) • Convention: no label after statement = previous label present there [2] E. Ermis, M. Schaf, and T. Wies. Error invariants. FM ‘12

  4. Interpolant • Interpolant of an unsatisfiable formula is a formula such that • is unsatisfiable • is only on the common variables of and • Note: There exist many (possibly infinite number of) interpolants 1 2 3 4 5 Example: After statement 3 : : : x=3; y=5; z1=y+x; z2=y-x; assert(z2>z1);

  5. Desirable Properties of Explanations • Soundness of explanation – error is reproduced • Statements in explanation form an unsatisfiable formula • Minimality of explanation • No statement can be further elided without loss of soundness • Existing work in interpolant-based explanation [2] guarantees neither. • Generate “candidate” interpolant sequence as labels • Greedy minimisation algorithm: substitute each label at a different locationand check if it is an interpolant at that location • If yes, all statements in between are deemed irrelevant

  6. Problem with Interpolants as Labels 1 2 3 4 5 • All labels are interpolants • Explanation produces the slice: 2, 4, 5 • is satisfiable! • Does not preserve soundness • Each label captures relevant part of state leading to error, but the flow of error is lost z=1; x=3; x1=x+1; z1=z+1; assert(x1>5 && z1>5);

  7. Ensuring Soundness • To capture flow of error, each label must result from the previous label and the intervening statement – “Inductive property” • Only produce Inductive InterpolantLabellings (IILs) Theorem 1: Slices produced from IILs are always sound • Inductive property forbids the labelling in previous slide • does not imply • Example IIL produced by our algorithm • Slice produced: 1, 4, 5 1 2 3 4 5 z=1; x=3; x1=x+1; z1=z+1; assert(x1>5 && z1>5);

  8. Ensuring Soundness • Why are slices from IILs sound? • Inductive interpolants surrounding a statement form a Hoare triple • Sequence of inductive interpolants (IILs) forms a Hoare proof of error trace • IILs are specialised Hoare proofs • that prove Error Trace • whose labels are restricted to interpolants • (Non-inductive) Interpolantlabellings are not guaranteed to be Hoare proofs • Results in their unsoundness

  9. Ensuring Minimality • No formal metric known, our proposal: based on stationariness • An IIL is stationary at statement S if the labels around S are the same • E.g.: stationary at 2, stationary at 3 • An IIL L is maximally stationaryiff no IIL produces a slice that is a subset of L • Since IILs produce only sound slices, L is a “minimal” labelling that is sound 1 2 3 4 5 z=1; x=3; x1=x+1; z1=z+1; assert(x1>5 && z1>5);

  10. Ensuring Minimality • Why are slices from maximally stationary IILs minimal? • Theorem 2 Slices from maximally stationary IILs form a MUC For every MUC there exists a maximally stationary IIL • Minimal Unsatisfiable Core is a subset C of a formula such that • C is unsatisfiable • Any proper subset of C is satisfiable • Algorithm to compute maximally stationary IIL from a MUC • Sound and minimal by definition

  11. Algorithm • Step 1: Obtain an unsatisfiable core • If is a MUC, labelling is minimal • Step 2: For every statement in the trace • If occurs in then is the formula projected on the variables of statements in subsequent to • Otherwise is the same as • Projection ensures that only the state of relevant variables is kept • Algorithm produces only IILs (proof in paper)

  12. Algorithm

  13. Algorithm Walkthrough • Minimal Core: 1 2 3 4 5 x=3; y=5; z1=y+x; z2=y-x; assert(z2>z1);

  14. Discussion • Algorithm is a combination of SP (forward) and WP (backward) • SP and WP alone may keep irrelevant statements in the explanation • Our algorithm uses knowledge from “both directions” • Forward: set of statements relevant to error • Backward: set of variables to project on at each label 1 2 3 4 5 z=1; x=3; x1=x+1; z1=z+1; assert(x1>5 && z1>5); 1 2 3 4 5 z=1; x=3; x1=x+1; z1=z+1; assert(x1>5 && z1>5);

  15. Experimental Evaluation • Implemented on the TRACER symbolic execution framework [3] • Input traces provided manually, converted to SSA automatically • Arrays and the heap modelled using UF theory + McCarthy axioms • Projection through Fourier-Motzkin quantifier elimination (reals) • No need to depend on interpolating prover or construct refutation proof • MUC obtained through [4] but any method is applicable [3] J. Jaffar, V. Murali, J. Navas and A. Santosa. TRACER: A Symbolic Execution Tool for Verification. CAV ‘12 [4] J. Bailey and P. J. Stuckey. Discovery of Minimal Unsatisfiable Subsets of Constraints using Hitting Set Dualization. PADL ‘05

  16. Case Study 1: Shell Sort • Sorting two elements (11, 14) returns (0, 11) shell_sort(inta[], int size) inth=1, i, j; do h=h*3; while(h <= size); do { h /= 3; for(i=h; i<size; i++) { intv = a[i]; for(j=i; j>=h && a[j-h]>v; j-=h) a[j] = a[j-h]; if(i != j) a[j] = v; } } while(h != 1); 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 a[0]=11; a[1]=14; a[2]=0; size=3; h=1; i=h; v=a[i]; j=i; i++; v=a[i]; j=i; a[j]=a[j-h]; j=j-h; a[j]=a[j-h]; j=j-h; a[j]=v; i++; assert(a[0]==11); assert(a[1]=14);

  17. Case Study 2: schedule2 • From SIR repository, contains arrays and pointers • Implements a priority scheduler • “Seeded” bug: prio=1 instead of default -1 • Trace of size 129 statements reduced to 16

  18. Conclusion • Interpolant-based labels are attractive for error explanation • IILs produce sound explanations • MUC captures essence of error • Maximally stationary IILs (equivalent to MUCs) produce minimal explanations • A new algorithm to compute maximally stationary IIL from MUC • Produces sound and minimal explanations • No prior work guarantees this • Case study on two examples

More Related